Analysis
- max time kernel: 105s
- max time network: 50s
- platform: windows7_x64
- resource: win7v200430
- submitted: 04-07-2020 06:33
Static task: static1
Behavioral task: behavioral1
Sample: Document_Covid-19_7.xls
Resource: win7v200430, windows7_x64
General
- Target: Document_Covid-19_7.xls
- Size: 85KB
- MD5: 58b62b641066a1ea49e34a2f711a1854
- SHA1: 4bf1830ed130fe97e50807b1a4ba4749c8fefe75
- SHA256: 810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
- SHA512: 82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2
Score: 6/10
Malware Config
Signatures
- Process spawned suspicious child process (1 IoCs)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  Processes: DW20.EXE
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1392 | 1064 | DW20.EXE | EXCEL.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: EXCEL.EXE, DW20.EXE
  description | pid | process | target process
  PID 1064 wrote to memory of 1392 | 1064 | EXCEL.EXE | DW20.EXE
  PID 1064 wrote to memory of 1392 | 1064 | EXCEL.EXE | DW20.EXE
  PID 1064 wrote to memory of 1392 | 1064 | EXCEL.EXE | DW20.EXE
  PID 1064 wrote to memory of 1392 | 1064 | EXCEL.EXE | DW20.EXE
  PID 1064 wrote to memory of 1392 | 1064 | EXCEL.EXE | DW20.EXE
  PID 1392 wrote to memory of 1428 | 1392 | DW20.EXE | dwwin.exe
  PID 1392 wrote to memory of 1428 | 1392 | DW20.EXE | dwwin.exe
  PID 1392 wrote to memory of 1428 | 1392 | DW20.EXE | dwwin.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: dwwin.exe
  pid | process
  1428 | dwwin.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1064 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1064 | EXCEL.EXE
  1064 | EXCEL.EXE
  1064 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1064 | EXCEL.EXE
Processes
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document_Covid-19_7.xls
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
    Command line: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1164
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 1164
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\94973.cvr
- memory/1392-0-0x0000000000000000-mapping.dmp
- memory/1428-1-0x0000000000000000-mapping.dmp
- memory/1428-2-0x0000000001E10000-0x0000000001E21000-memory.dmp (Filesize: 68KB)
- memory/1428-4-0x0000000002290000-0x00000000022A1000-memory.dmp (Filesize: 68KB)